<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom"><title>GNUcode.me</title><id>https://gnucode.me/feeds/tags/nftables firewall.xml</id><subtitle>Tag: nftables firewall</subtitle><updated>2024-05-08T13:40:23Z</updated><link href="https://gnucode.me/feeds/tags/nftables firewall.xml" rel="self" /><link href="https://gnucode.me" /><entry><title>Setting up a Firewall</title><id>https://gnucode.me/setting-up-a-firewall.html</id><author><name>Joshua Branson</name><email>jbranso@dismail.de</email></author><updated>2023-01-23T13:00:00Z</updated><link href="https://gnucode.me/setting-up-a-firewall.html" rel="alternate" /><content type="html">&lt;p&gt;Edit: Feb 12: The below firewall does NOT work. I currently do NOT use a
firewall on my servers.&lt;/p&gt;&lt;p&gt;So my guix system servers have been running without a firewall.  I have decided
to actually fix that.  Unfortunately, OpenBSD’s pf does not work on linux.  It
seems like the best packaged firewall for GNU Guix System is currently provided
by the netfilter service.  Luckily Guix’s default server provides a good basic
configuration for enabling ssh access to the machine.  That configuration looks
like this:&lt;/p&gt;&lt;pre&gt;&lt;code&gt;table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # early drop of invalid connections
    ct state invalid drop

    # allow established/related connections
    ct state { established, related } accept

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow ssh
    tcp dport ssh accept

    # reject everything else
    reject with icmpx type port-unreachable
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;So it looks like I just need to add in policies just after the &lt;code&gt;#allow ssh&lt;/code&gt;
line.&lt;/p&gt;&lt;p&gt;It seems like the easiest way to test this service out, is to first, &lt;code&gt;guix install nft&lt;/code&gt;, then put your configuration into a file.  Then load in those
firewall rules via &lt;code&gt;sudo nft -f nftables.conf&lt;/code&gt;.  If those rules end up breaking
things, you can revert the firewall to allow everything via &lt;code&gt;sudo nft flush ruleset&lt;/code&gt;.  You can also list the current ruleset via &lt;code&gt;sudo nft list ruleset&lt;/code&gt;.
You can also check the syntax in &lt;code&gt;nftables.conf&lt;/code&gt; via &lt;code&gt;sudo nft -cf nftable.conf&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;Well I had a firewall working fairly well.  I tested the firewall rules via
&lt;code&gt;sudo nft -f nftables-lamora.conf&lt;/code&gt;, and it worked really well. But this scheme
code seemed to break everything on the server.  Now, I can’t login to lamora and
the websites it hosts are not working.&lt;/p&gt;&lt;pre&gt;&lt;code&gt;(service nftables-service-type
         (nftables-configuration
          (ruleset
           (mixed-text-file &amp;quot;nftables.conf&amp;quot;
                            &amp;quot;./nftables-lamora.conf&amp;quot;))))&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;I reached out to linode support, and I am able to boot the machine in a rescue
image, which is pretty awesome.  From there I might be able to mount the
&lt;code&gt;/dev/sda&lt;/code&gt; drive such that &lt;code&gt;/gnu/store&lt;/code&gt; is set up properly.  But I think that is
pretty much beyond me.  Too much work to get correct.  So instead, I shall start
from scratch I suppose.  :(&lt;/p&gt;&lt;p&gt;What if I had just run,&lt;/p&gt;&lt;pre&gt;&lt;code&gt;mount /dev/sda /mnt
chroot /mnt
sudo guix system roll-back&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;That might have worked.  But it also might not have and it might have just taken me
longer too.&lt;/p&gt;&lt;p&gt;Looks like I have a small basic guix image lying around that I can tell linode
to use.  Let’s try that.&lt;/p&gt;&lt;p&gt;Well that caused a kernel panic. That didn’t work. Probably because I told
linode to set the root password, and linode doesn’t know how to mess with guix
system?&lt;/p&gt;&lt;p&gt;So I whiped my linode server, and started over.  And it looks like
I need to modify the current cookbook entry about running guix system on linode via
adding in&lt;/p&gt;&lt;p&gt;&lt;code&gt;sudo apt-get update&lt;/code&gt;, then &lt;code&gt;sudo apt-get install gpg&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;Here are some of the commands that I used to set up my new linode server.  It's on the
same IP address.  It's currently hosting gnucode.me.&lt;/p&gt;&lt;pre&gt;&lt;code&gt;wget https://notabug.org/jbranso/linode-guix-system-configuration/raw/master/gnucode.me-initial-config.scm
mount /dev/sdc /mnt
sudo guix system reconfigure locke-lamora-initial-config.scm
guix install git
mkdir -p ~/prog/gnu/guix/guix-config/
cd ~/prog/gnu/guix/guix-config/
git clone https://notabug.org/jbranso/linode-guix-system-configuration
cd ../
git clone https://git.sr.ht/~whereiseveryone/guixrus
sudo mkdir -p /srv/www/html&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Now I need to git clone my various static websites on the server.&lt;/p&gt;&lt;pre&gt;&lt;code&gt;cd /srv/www/html
sudo git clone https://notabug.org/jbranso/gnucode.me.git
sudo git clone https://notabug.org/jbranso/propernaming.git
sudo git clone https://notabug.org/jbranso/gnu-hurd.com.git
sudo mv propernaming propernaming.org&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;So I believe that I need to chmod the files in /srv/www/html, so that nginx can
actually serve them. Unfortunately, I cannot do a &lt;code&gt;sudo chown -R nginx /srv&lt;/code&gt;,
because my current guix system does not have an nginx user yet. But I believe
that I can still reconfigure the system, even if nginx will not be able to serve
the html files. After I have reconfigured, then I should be able chown the owner
of /srv to nginx. In the end I actually just did a &lt;code&gt;cd /srv; sudo chmod -R o+r *&lt;/code&gt; and just made every file readable by everyone. That sort of violates the
principle of least privledge, oh well.&lt;/p&gt;&lt;p&gt;Now that I have made some modifications to my gnucode.me-current-config.scm that
comments out various certificate files that are not there yet, I can attempt to
reconfigure on the server:&lt;/p&gt;&lt;pre&gt;&lt;code&gt;cd prog/gnu/guix/guix-config/linode-guix-system-configuration/
sudo guix system reconfigure gnucode.me-current-config.scm

guix system: error: aborting reconfiguration because commit
9fe5b490df83ff32e2e0a604bf636eca48b9e240 of channel 'guix' is not a descendant
of 900d33527c9286a811f064d4bb8f4a9b18d1db0b&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Well let’s try this updating everything.  And I believe that you need to do a
guix pull as root at least once.&lt;/p&gt;&lt;pre&gt;&lt;code&gt;su
guix pull;
exit;
guix pull;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Oh yeah, I also need to power down my linode, delete the debian partition, and
resize the guix partition to full size.&lt;/p&gt;&lt;p&gt;Now I believe that I cannot reconfigure my server with the current
&lt;code&gt;gnucode.me-current-config.scm&lt;/code&gt;, because nginx will fail to start because the
letsencrypt scripts are not there yet. So I need to modify the nginx bits before
I can start the service. I also decided to set up &lt;code&gt;guix deploy&lt;/code&gt; on my gnucode.me
machine, so that reconfiguring the remote server is faster.&lt;/p&gt;&lt;p&gt;Ok, so I have my current-config for gnucode.me deployed.  Geez, guix deploy is
sooo super fast!  And all you need to do is to set up ssh-agent  and customize a
deployment list.  I set up ssh-agent via my &lt;code&gt;.bash_profile&lt;/code&gt;&lt;/p&gt;&lt;pre&gt;&lt;code&gt;cat .bash_profile | grep eval -A 1

if [[ -z $DISPLAY ]] &amp;amp;&amp;amp; [[ $(tty) = /dev/tty6 ]]; then
    eval `ssh-agent -s`
    ssh-add
    exec dbus-run-session sway
fi&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Now all you need to do is customize this:&lt;/p&gt;&lt;pre&gt;&lt;code&gt;(list (machine
       (operating-system %system)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name &amp;quot;45.56.66.20&amp;quot;)
                       (system &amp;quot;x86_64-linux&amp;quot;)
                       (user &amp;quot;joshua&amp;quot;)
                       (identity &amp;quot;~/.ssh/id_rsa&amp;quot;)
                       (host-key &amp;quot;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgL0hBTWmCVGGvNJYa+YS+fEXs89v0GbdkQ+M+LdZlf root@(none)&amp;quot;)
                       (port 63355)))))&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The port is the ssh port.  And the ssh-ed25519 is found on your remote server’s
&lt;code&gt;etc/ssh/ssh_host_ed25519_key.pub&lt;/code&gt; file.&lt;/p&gt;&lt;p&gt;Now nginx serves my websites via http.  Let’s get https working.&lt;/p&gt;&lt;pre&gt;&lt;code&gt;sudo /var/lib/certbot/renew-certificates&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Alright, now I can set up my config.scm to allow nginx to serve web traffic via https.&lt;/p&gt;&lt;p&gt;Well, can I get a nftables service running now?&lt;/p&gt;&lt;p&gt;At first it seemed that &lt;code&gt;(service nftables-service-type)&lt;/code&gt; is apparently good
enough to be a decent firewall for my server. Then very quickly I realized that
it was a terrible firewall for a server, because it blocked all http and https
traffic.&lt;/p&gt;&lt;p&gt;It looks like the arch linux wiki has a decent configuration example for a server:&lt;/p&gt;&lt;p&gt;https://wiki.archlinux.org/title/Nftables#Examples&lt;/p&gt;&lt;p&gt;So I just took the example nftables configuration for a server and used that.
The configuration file is here:&lt;/p&gt;&lt;p&gt;https://notabug.org/jbranso/linode-guix-system-configuration/src/master/nftables.scm&lt;/p&gt;&lt;p&gt;Let me know if you see that I did something silly in it, because I probably did.&lt;/p&gt;&lt;p&gt;Bonus paragraph! It took me about 2-4 hours to re-set up my server just the way
it was before, except I haven't set up email yet. If you crashed your server
lost your backups, how long would it take you to set up you server, just as it
was? 2-4 hours is longer than I expected, but I think guix's declarative
approach certainly is pretty awesome!&lt;/p&gt;</content></entry></feed>